Hi Mahesh,

Thank you for pointing out the issue with the draft name. I will correct the filename in the next submission round. I appreciate your attention to this.

Regarding your focused point, I’d like to provide a brief summary to help clarify how the SAV-D device differs from traditional SAV, from both operational and security perspectives:

In discussions with several Chinese ISPs and campus network operators, many have expressed reluctance to deploy SAV devices because they directly drop detected spoofed packets, potentially blocking legitimate traffic. In contrast, the SAV-D architecture does not drop the packets immediately. Instead, it forwards packet information to a centralized controller as threat intelligence. This mechanism offers several advantages:

1) Global Threat Visibility: The SAV-D controller gathers distributed threat information, providing a global view of the attack landscape. This helps security operators fine-tune policies with a broader perspective.

2) Improved Detection Accuracy: The global threat intelligence enhances detection accuracy, as shown in our experiments (please refer to our paper: SAV-D: Defending DDoS with Incremental Deployment of SAV [https://www.computer.org/csdl/magazine/ic/2023/03/10122643/1N27smb5qlW]). This improved accuracy can encourage wider SAV deployment.

3) Interoperability with Legacy Systems: Beyond SAV devices, legacy routers and victim defense systems also benefit from this architecture. By connecting to the SAV-D controller, these systems can send threat data via the YANG Data Model. The controller, in turn, distributes filtering rules and threat information to them through DOTS Telemetry, accelerating their detection capabilities.

I hope this provides useful context ahead of your review of the document.


Best regards,
Mingzhe

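The report-instead-of-drop flow described above, as an added example that is not part of the draft, the paper, or the authors' code. It models the SAV check as a per-interface table of legitimate source prefixes, compares a device that drops on failure (traditional SAV) with one that lets the packet through and reports it (SAV-D), and has a controller that only turns sightings into a drop rule once the same source /24 toward the same destination has been reported by more than one device. The prefix table, the report format, the /24 aggregation key and the two-reporter threshold are all assumptions; the real architecture carries reports over a YANG data model and pushes rules via DOTS telemetry, neither of which is modelled here.

```python
"""Toy model of the SAV-D report-instead-of-drop flow (added example, not from the draft).

Assumptions, not taken from the draft or the paper: the per-interface prefix
table, the report format, the /24 aggregation key and the two-reporter
threshold. The real architecture exchanges reports and rules via a YANG data
model and DOTS telemetry; here everything is plain Python so it runs offline.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    ingress: str  # interface the packet arrived on


class Controller:
    """Aggregates per-device reports into global threat intelligence."""

    def __init__(self, min_reporters=2):
        self.min_reporters = min_reporters
        # (source /24, destination) -> set of device names that reported it
        self.sightings = defaultdict(set)
        self.rules = []

    def report(self, device, pkt):
        net = ipaddress.ip_network(f"{pkt.src}/24", strict=False)
        key = (str(net), pkt.dst)
        self.sightings[key].add(device)
        # A single device's verdict may come from a stale prefix table; only
        # corroborated sightings become a rule distributed to connected devices.
        if len(self.sightings[key]) >= self.min_reporters:
            rule = {"action": "drop", "src_prefix": key[0], "dst": key[1]}
            if rule not in self.rules:
                self.rules.append(rule)


@dataclass
class SavDevice:
    """Edge device with a table of legitimate source prefixes per ingress interface."""
    name: str
    expected: dict          # ingress interface -> list of ipaddress networks
    mode: str = "report"    # "drop" = traditional SAV, "report" = SAV-D
    dropped: list = field(default_factory=list)

    def check(self, pkt, controller):
        src = ipaddress.ip_address(pkt.src)
        if any(src in net for net in self.expected.get(pkt.ingress, [])):
            return "forward"
        if self.mode == "drop":
            self.dropped.append(pkt)   # traditional SAV: drop, legitimate or not
            return "drop"
        controller.report(self.name, pkt)  # SAV-D: let it through, report it
        return "report"


def filter_with_rules(pkt, rules):
    """What a legacy router does with rules pulled from the controller."""
    src = ipaddress.ip_address(pkt.src)
    for rule in rules:
        if pkt.dst == rule["dst"] and src in ipaddress.ip_network(rule["src_prefix"]):
            return rule["action"]
    return "forward"


def run_scenario(mode):
    """Constructed traffic: two edge devices, one victim, mixed packets."""
    ctrl = Controller(min_reporters=2)
    dev_a = SavDevice("edge-A", {"if1": [ipaddress.ip_network("10.1.0.0/16")]}, mode)
    dev_b = SavDevice("edge-B", {"if1": [ipaddress.ip_network("10.2.0.0/16")]}, mode)
    victim = "203.0.113.10"
    traffic = [
        (dev_a, Packet("10.1.5.5", victim, "if1")),       # legitimate
        (dev_a, Packet("10.9.1.1", victim, "if1")),       # fails SAV at A only (e.g. stale table)
        (dev_a, Packet("198.51.100.7", victim, "if1")),   # spoofed, seen at A
        (dev_b, Packet("198.51.100.9", victim, "if1")),   # spoofed, same /24, seen at B
    ]
    verdicts = [dev.check(pkt, ctrl) for dev, pkt in traffic]
    return {
        "verdicts": verdicts,
        "rules": ctrl.rules,
        "sightings": {k: len(v) for k, v in ctrl.sightings.items()},
    }


if __name__ == "__main__":
    for mode in ("drop", "report"):
        print(mode, run_scenario(mode))
```

In "drop" mode the second packet, which fails the local check for reasons the device cannot distinguish from spoofing, is lost along with the real spoofed traffic; in "report" mode it passes, is reported once, and never becomes a rule, while the spoofed /24 seen at two devices does. That corroboration across devices is the "global view" the message refers to, and `filter_with_rules` is the minimal thing a legacy router without SAV needs in order to benefit from it.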

---- Replied Message ----
From: Mahesh Jethanandani <[email protected]>
Date: 10/22/2024 05:41
To: 邢铭哲 <[email protected]>
Cc: [email protected] <[email protected]>
Subject: [OPSAWG] Re: Request for Comments on Draft "SAV-based Anti-DDoS Architecture"
Hi Mingzhe,

At the minimum, you need to rename the draft to draft-cui-opsawg-savnet-anti-ddos for it to land in the OPSAWG list of documents.

Cheers.

p.s. I have not read the document, but I hope it addresses how a SAV-D device is better than SAV from an operational and security considerations perspective.

On Oct 18, 2024, at 12:39 AM, 邢铭哲 <[email protected]> wrote:


Dear OPSAWG Experts,


We have submitted a draft titled "SAV-based Anti-DDoS Architecture" (https://datatracker.ietf.org/doc/draft-cui-savnet-anti-ddos/), which focuses on enhancing security operations to defend against DDoS attacks using a SAV-D controller. The draft is motivated by the observation that spoofed IP addresses can lead to severe DDoS attacks. While Source Address Validation (SAV) schemes are an effective means of mitigating such attacks, the limited deployment of SAV devices impairs their overall performance.

In this context, we propose the SAV-D architecture to leverage information from both SAV and non-SAV devices. This approach improves detection accuracy and incentivizes broader deployment of SAV devices. Specifically, the architecture allows SAV honeypots, legacy routers, and victim defense systems to interact with the SAV-D controller, retrieving comprehensive threat intelligence to inform defense strategies. Furthermore, the SAV honeypots report malicious packet information to the SAV-D controller, enabling data analysis and the creation of global threat intelligence. The SAV-D controller can also provide comprehensive attack situation awareness, helping operators manage their networks more effectively. Our draft introduces the overall architecture of the SAV-D controller, the interaction with devices, the data transmission protocol, workflow, deployment strategies, and examples of connections.

Based on SAV-D, we have set up a small-scale experimental environment and validated the effectiveness of the framework against reflective DDoS attacks. The details can be found in the paper (SAV-D: Defending DDoS with Incremental Deployment of SAV).

This draft offers a practical operational solution for defending against spoofed IP DDoS attacks while utilizing existing SAV devices, legacy routers, and victim defense mechanisms. We submit this to OPSAWG and look forward to your valuable feedback to improve the draft.



Best regards,
Mingzhe


_______________________________________________
OPSAWG mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Mahesh Jethanandani


